Datawiza
Back to blog
February 11, 2026BlogIndustry

DORA Third-Party Access: Enforcing Strong Authentication (MFA) for Vendors and MSPs

dora third party access

Third-party access is one of the fastest ways a password compromise becomes a major ICT incident. Under DORA, financial institutions are expected to manage ICT risk across internal and external dependencies—so vendor access pathways must be governed, monitored, and hardened.

If you need the core requirement breakdown for strong authentication, start here: DORA MFA requirements.

Why third-party access is a DORA hotspot

Most organizations have MFA for employees. The gaps typically show up in:

  • MSP/outsourcer admin access
  • Vendor support portals
  • Remote support tooling (screen-share, “support agents,” jump boxes)
  • Shared admin credentials and “temporary” accounts
  • Emergency access that bypasses normal controls

These are exactly the access paths that create outsized operational and regulatory impact.

Where MFA gets bypassed in real life

1) Support tools and remote admin channels

Common scenario: a vendor uses a support tool that isn’t tied to your IdP, and MFA isn’t consistently enforced (or is enforced by the vendor only).

Control objective: MFA must be enforced for the vendor’s identity, not just “a connection.”

2) Shared accounts (“vendor_admin”) and emailed passwords

Shared credentials are difficult to monitor and nearly impossible to defend during audit.

Control objective: named accounts + MFA + traceable logs.

3) Break-glass access that becomes normal access

Break-glass should be rare, governed, and reviewed—not a daily workaround.

Control objective: strict governance: approvals, time-bound access, monitoring, and post-access review.

A practical DORA playbook for vendor MFA (what CISOs can implement)

Step 1: Create a vendor access inventory

For each vendor/MSP:

  • Access method (VPN, portal, bastion, support tool)
  • Systems touched (especially privileged systems)
  • Whether access is interactive or API-based
  • Authentication method and MFA enforcement point

Step 2: Define “must-have” MFA rules

CISO-friendly baseline:

  • MFA required for all third-party interactive access
  • Stronger requirements for privileged actions (admin consoles, production systems)
  • Time-boxed access for high-risk sessions
  • No shared accounts (or a plan to eliminate them)

Step 3: Close the technical gap

Depending on how the vendor connects:

  • Enforce MFA via your IdP (preferred)
  • Enforce MFA at a gateway/proxy when apps/tools can’t integrate
  • Require MFA + device trust for privileged sessions
  • Centralize logs so you can prove enforcement

Step 4: Contract + governance

Ensure contracts / third-party policies require:

  • MFA usage and minimum factor types
  • named accounts and audit logs
  • notification requirements for compromised credentials
  • review cadence

Audit evidence checklist (vendor access)

  • Vendor access inventory (systems + methods + ownership)
  • MFA enforcement proof (policy exports / screenshots)
  • Sample access tests demonstrating MFA challenge
  • Logs showing third-party sign-ins + outcomes
  • Exception register for any non-MFA access paths, with approvals + review dates
  • Annual review record (or more frequent for critical vendors)

Where Datawiza helps (without rewriting apps)

Diagram showing Datawiza Access Proxy enforcing strong authentication (MFA) between users and any web app, using either Datawiza built-in MFA or MFA from an identity provider.
Diagram showing Datawiza Access Proxy enforcing strong authentication (MFA) between users and any web app, using either Datawiza built-in MFA or MFA from an identity provider.

Datawiza Access Proxy enforces strong multi-factor authentication (MFA) in front of any web app—using either Datawiza MFA or your existing IdP—without rewriting the application.

When vendor access touches legacy web apps or portals that can’t support modern auth, Datawiza Access Proxy can enforce strong authentication in front of the app, allowing:

  • consistent MFA enforcement
  • centralized evidence (logs + policies)
  • reduced reliance on app rewrites to meet governance goals

👉 Book a Technical Demo

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza